3.9 Million Citigroup Customers' Data Lost
Rick Zeman writes "CNN.com is reporting that United Parcel Service has lost backup tapes containing the identities of 3.9 million Citigroup customers. According to UPS, '... a "small package" containing data storage tapes was lost while being transferred to a credit reporting bureau.' According to Citigroup, they 'included Social Security numbers, names, account history and loan information about retail customers, and former customers, in the United States.'"
How often does this happen now? (Score:5, Interesting)
Data separation (Score:4, Interesting)
Encryption! Encryption! ENCRYPTION! (Score:2, Interesting)
don't they even care for encrypting data in removable media?
that's so lame!
Re:*blinks* (Score:5, Interesting)
Re:How often does this happen now? (Score:3, Interesting)
In this case, the lost cargo is probably in a UPS warehouse somewhere. They probably ran over the cargo with a forklift, and it's currently unidentifiable.
See http://www.perkinscoie.com/content/ren/updates/ec
Re:*blinks* (Score:2, Interesting)
Re:Sensitive Data via UPS? (Score:3, Interesting)
>
You obviously have zero experience in the shipping field despite your claim to have worked for UPS. It isn't uncommon at times to have 100 times that percentage of packages lost or damaged by us. We are a union shop so the lazy thugs we have can get away with anything. For example at the terminal where I work, a local jewelry store went out of business and shipped-out about four dozen nice watches to a broker. Now almost every employee at this terminal has a nice brand-new watch. Another example, Kel-Tec CNC released a new pistol a couple of years ago. One of the drivers here picked-up the first few batches of pistols from them. Not a one of them made it to the FFL's who ordered them. The BATF couldn't even get UPS to take action against the union.
In both cases UPS couldn't fire a single person. Our union allows us to damage or steal as much as we want to. Your 0.1% number is complete crap. If you're shipping something worthless, broken, or bulky that's not worth the time for a union member to steal, you might only have that small of a loss. Otherwise, my coworkers can and will steal. And good luck collecting from UPS. We pay-out on less than 2% of the packages that are damaged and on less than 5% of the packages lost.
Skinner
Re:Encryption! Encryption! ENCRYPTION! (Score:1, Interesting)
makes me wonder why i even try (Score:3, Interesting)
Re:Unacceptable (Score:2, Interesting)
I believe you hold Citibank responsible for using an inferior carrier as opposed to using an armored carrier or an in-house carrier and at the least encrypting this valuable info (as stated by other people in this thread).
BTW - I write this as someone who has a mortgage with Citigroup so my data could be at risk here. However, my knee is not jerking violently, (yet).
I don't believe this is a kneejerk reaction, I believe it's a totally valid reaction, Choicepoint, BofA, and Citibank are huge companies and all seem to be frivolous with their clients' information, and are all held mostly unaccountable. So I believe the correct response would be to insist that something be done to discourage these types of activities. With identity theft getting easier to pull off, the information should be held much more secure than it currently is. Remember, Choicepoint didn't even get their info from the customers whose records they held, yet they let that info get out. As consumers and possible victims, we all need to pressure these corporations to take the correct actions. I say having a laidback attitude towards these events is the absolute wrong reaction to have and if my own reaction is, in fact, kneejerk, I still feel it's the correct one.
Re:And what did the UPS guy say? (Score:3, Interesting)
You wouldn't believe the amount of software and infrastructure currently being expended to meet this deadline. I'm working on it now. Sounds easy, doesn't it? It's not.
Re:*blinks* (Score:1, Interesting)
Double standards (Score:1, Interesting)
There is no way in hell that Citigroup trading data would ever have been lost in the way that they lost these customer records... The reason of course is that private trading data is essential to Citigroup profitability.
As other posters have noted, the only way that companies will start seriously protecting customer data is if there is a real financial incentive involved.
Re:How often does this happen now? (Score:3, Interesting)
Someone asked the question whether the University is responsible and would restitute time and money spent recovering from an identity theft that resulted from this, and they basically shrugged it off and said "tough luck", we are not liable. Here is their FAQ on it [uc.edu].
Actually hackers were very smart, they went for a stupid public institution that still uses social security numbers as student ids and doesn't have the money nor the brains (you'd think a university would at least have that) to protect students' and employees' information. Why bother and go for commercial institutions like banks or why mess with FBI and DOD when you have hundreds of thousands of SSN protected by idiots in IT who couldn't find better jobs in the private sector.
Note: UC just spent millions building shopping and recreation areas around campus but they couldn't afford enough to protect their data. If you need to see your and public money mismanaged and thrown away, just go to UC.
Citigroup in Mexico (Score:3, Interesting)
And you thought losing some customers' information was serious. Ha hah.
Re:Nice to know where their priorities lie (Score:2, Interesting)
The same way god felt bad after killing the first born child of every Egyptian? (Exodus 11:1-12:30)
Couldn't he have just knocked down a few pyramids?
Re:*blinks* (Score:5, Interesting)
More than likely they paid a consultant $3.5 million dollars to set up a secure backup system which would work flawlessly. Bought it. Installed it...
And then new IT director-minion-worked-at-walmart-last-week went in to "optimize" the server and kill any "useless" processes that were making it run slow, and killed the encryption process.
And then of course they back up for two years without encryption until they hire a $8 an hour "casual" to "catalog" and "clean up" the archives -- and he discovers that they aren't encrypted. Notifies his boss who really doesn't understand -- and nothing happens.
And then they have a security breach and are "caught off guard". Heads roll, new consultants are hired, and the process begins again.
Well, at least that's what seems to happen where I work.
Re:*blinks* (Score:3, Interesting)
Nah, not really. You see it's cheaper for Citibank not having to bother with such inconvenient struggles as encryption and confidentiality or even [gasp] an in-house courier service for confidential material and as long as they don't even get a slap on the wrist why should they care in the first place? Such unbelievably negligent behavior seems to make good business sense nowadays.
It's about time that such criminally negligent entities, such as Citibank's senior management - the fish stinks from the head, as we German speakers say - get slapped really, really hard; possibly even looking at actual jail time. But that's unlikely since they probably bribed enough politicos for such a thing never to happen.
Maybe an EU commission (Citibank is doing business in Europe) should start to ask a few really, really hard questions under threat of suspension of their banking license. Not that shit doesn't happen here, but privacy of the population seems to have a significantly higher value here, than a few bucks saved by business.
HEAVY FINE AND IMPRISONMENT (Score:2, Interesting)
There must come a time when we start to understand that any kind of personal information first belongs to the person from which it is derived. It is similar to personal property. And this kind of property must not be available for sale nor may the individual give up his right on this property.
This kind of law would make storing information on people more of a risk for the info gatherers.
1984 is on the way, a bit late but coming, so please, let's do something to stop it.
Re:Sensitive Data via UPS? (Score:2, Interesting)
Until you start attaching fines/penalties for not properly securing sensitive information, this will continue to happen because they save more money doing it this way with very little financial risk. Therefore, they will continue to do things this way since it is better for the bottom line, i.e. they make more money.
-Atrivis
Biometrics (Score:3, Interesting)
Re:Lecture Time: Buy a Scissors! (Score:2, Interesting)
Re:How often does this happen now? (Score:3, Interesting)
The first thought I had when I heard about this story is how much would that disk be worth if you sold it to the right people? And that gets my little tin foil hat on. Was it stolen?
Re:How often does this happen now? (Score:3, Interesting)
Doesn't even one of them think for a moment - "Huh? I wonder what we are doing to make sure that this doesn't happen to us?"
What might work is if one of the companies were to make it a selling point. If a credit company were to advertise their excellent record of protecting data, it might make people use them instead of the competition. Then the other companies would take notice as they lost customers.
Re:Nice to know where their priorities lie (Score:3, Interesting)
But don't let me get in the way of your seething hatred for Bush (who didn't pass the law, congress did.)
He signed it. So he passed it. Take a class, genius. I work in news. You want DVD or VHS?
Besides, what is the point? You think that I am shocked that members of congress are on the payrolls of Chase and Citigroup?
I have a complete ton of my Republican friends that hated this bill. Most financial counselors hate this bill. And they know more about it than both of us combined.
Re:Sensitive Data via UPS? (Score:2, Interesting)
Re:*blinks* (Score:3, Interesting)
Oh please. While UPS does indeed have a share in the blame, it's hardly worth mentioning. Their track record on losing/destroying packages is well known. They absolutely do NOT make any guarantee that every single package will make it through, and two out of three random people off the street can confirm that from personal experience. Their business model is essentially "usually gets there, for a reasonable price". There are numerous secure courier services that exist for this very reason: you cannot trust critical transfers to any of the mass carriers. Blame for the loss of the package goes to UPS. Blame for the loss of the data itself, which is truly the issue, sits squarely on the shoulders of whichever dumbass at Citi had those tapes put in a UPS mailer.